Amcham Letter on European Cybersecurity Certification Scheme for Cloud Services
Dear government officials,
We are writing to you to express our concern for the current developments related to the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) that is being developed by the European Union Agency for Cybersecurity (ENISA). The EUCS developed from the Cybersecurity Act of 2019 and was intended to create a unified cloud certification scheme in the EU and allow for the free flow of cloud services.
During the process it has, however, branched out to political issues outside of ENISA’s mandate. We are particularly concerned about the potential inclusion of unhelpful “digital sovereignty” requirements that risk negatively impacting both international and European providers of cloud, as well as the wide array of Finnish organizations that use cloud and require a high-level of cybersecurity assurance. The sovereignty requirements require a cloud provider to have a global headquarters based in Europe and full EU-ownership.
These preconditions raise serious concerns for many Finnish companies – in particular in regulated industries with high cybersecurity needs, since a large number of these acquire cloud services from US-based cloud service providers, many of which are market leading in both technical innovation and cybersecurity. Finnish companies are the most active cloud users in Europe1 and many organizations have made significant strategic investments in cloud services to both innovate, improve services offered to clients and to secure operational resilience.
In its current form, the EUCS risks putting these investments in jeopardy, without a clear cybersecurity benefit.
The proposed requirements, particularly the proposed ownership requisites, will create significant entry barriers for non-EU headquartered companies and EU companies with international or global operations. This will limit competition in the cloud market, raise costs and reduce the selection of trusted technology partners for businesses, ultimately hindering innovation and digital transformation capacities in the EU.
The European cloud market cannot currently sustain the needs of EU demand without international cloud service providers, both in terms of quantity and quality. Introducing these requirements would thus lead to a reliance on a very limited number of providers offering adequate services, resulting in a risk of “reversed concentration.” This would dramatically impact companies’ ability to select the technology and cloud service providers that best meet their operational needs. It would also create unnecessary obstacles to information-sharing between organizations, which is an essential tool for reducing cybersecurity risk. Data localization requirements, in particular, would increase the costs of maintaining state-of-the-art solutions and reduce alternative storage in the event of data losses or network outages.
EU Members States are not in unanimous agreement about introducing these requirements and several countries are signaling their support for discussing, defining and clarifying a common position on sovereignty at the political level, instead of introducing these requisites in the EUCS. While Finland, represented by the Cybersecurity Authority, has opposed these requirements, we respectfully encourage the Government to recognize the significance of this process and the wide implications it might have on the competitiveness and cybersecurity of Finnish companies and the wider market. We would welcome Finland taking a more active role in the opposition of the requirements that is commensurate with the risk it represents for the continued digitalization and innovation.
We also want to express our concern about the limited transparency and lack of stakeholder engagement that have characterized EUCS discussions throughout the scheme’s development. In contrast to a regular legislative process, it has been extremely difficult for stakeholders to receive information about the status and content of the decision making on EUCS. The process has been far removed from the principles of openness and transparency that are such key values in Finland. The role of stakeholders, including industry, and the reliance on consensus-based international standards are vital to ensure that cybersecurity requirements are indeed effective. The companies we represent support the EU’s ambitions to tackle global cyber threats and protect citizens, institutions and businesses through cybersecurity certifications. We do not, however, believe that the current sovereignty requirements support these goals.
We respectfully urge the Finnish Government to require ENISA and the European Commission to inform stakeholders of the state of the discussion and engage with them throughout the finalization process to ensure that the EUCS does not include unnecessary and discriminatory requirements. We thank you for your attention and are always available for further discussions and deliberations on this subject.
Chief Executive Officer
Director of Communications & Network Impact
+358 50 430 3443
Access your business needs with Amcham Finland in a 15-minute call.
Call Katie Girow at +358 45 162 8449!